No doubt about it, the way malicious actors attack their targets through software is changing.
The attack pattern we’re familiar with is fairly direct. Someone finds a vulnerability in deployed software. Malicious actors develop malware to exploit the weakness. They then find a way to reach the deployed software within target companies and use the malware as part of their attack until a patch is deployed. Our defenses against this type of attack have been twofold.
On one side, software buyers use malware detection and response tools on user email, web applications, endpoints, cloud or network file storage to block malware from entering their environments. By blocking known exploits, enterprises prevent some attacks and limit the dwell time for others.
On the other side, software publishers incorporate vulnerability testing and software composition analysis earlier in their development lifecycles and prioritize remediation and mitigation efforts for existing and newly created vulnerabilities. For the most part, vulnerability scanners look for coding patterns or mistakes that make software vulnerable, i.e. that leave holes through which attackers can reach inside and manipulate the software, or the system it runs on, to achieve their objectives.
While these defenses aren’t perfect, they have made it harder to reach high-value target companies. Therefore, malicious actors have looked for alternative ways to reach their targets: by tampering with software supplied by trusted vendors.
The risk posed is unnerving. ENISA’s analysis of software supply chain attacks from Jan 2020 through Jul 2021 reported that “an organization could be vulnerable to a supply chain attack even when its own defenses are quite good.” In other words, finding and patching software vulnerabilities isn’t sufficient for dealing with the more sophisticated supply chain risks.
To understand why, and what to do about it, we first must understand the differences between detecting software vulnerabilities and detecting software tampering. Hence my webinar on the topic, which will also cover which indicators must be detected, which software artifacts must be assessed, and when assessments must occur.
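To make that difference concrete, here is an added illustration that is not from the post or the webinar. It contrasts a pattern-based vulnerability check with an integrity check against a known-good build manifest: the artifact names, contents, the toy scanner rule and the simulated tampering are all constructed for the example, and it assumes the vendor publishes a SHA-256 digest manifest with each release (verifying the manifest's own signature is outside the example).

```python
import hashlib

# Constructed sample "release": artifact name -> bytes as produced by the vendor's build.
# Assumption: a digest manifest is produced at build time and shipped with the release.
BUILD_ARTIFACTS = {
    "app/main.py": b"import os\n\ndef run(cmd):\n    return os.system(cmd)\n",
    "app/config.json": b'{"update_url": "https://updates.example.invalid/feed"}\n',
}

# Toy vulnerability-scanner rule: a coding pattern that a scanner would flag.
RISKY_PATTERNS = [b"os.system("]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Record the digest of every artifact at build time (the known-good baseline)."""
    return {name: sha256_hex(data) for name, data in sorted(artifacts.items())}


def verify_against_manifest(artifacts: dict, manifest: dict) -> list:
    """Tampering check: report artifacts whose digest drifted, went missing, or appeared."""
    findings = []
    for name, expected in manifest.items():
        if name not in artifacts:
            findings.append((name, "missing"))
        elif sha256_hex(artifacts[name]) != expected:
            findings.append((name, "modified"))
    for name in artifacts:
        if name not in manifest:
            findings.append((name, "unexpected"))
    return findings


def scan_for_vulnerable_patterns(artifacts: dict) -> list:
    """Vulnerability check: flag artifacts containing a known risky coding pattern."""
    hits = []
    for name, data in artifacts.items():
        for pattern in RISKY_PATTERNS:
            if pattern in data:
                hits.append((name, pattern.decode()))
    return hits


def tampered_release(artifacts: dict) -> dict:
    """Constructed tampering: one shipped config value is altered after the build."""
    copy = dict(artifacts)
    copy["app/config.json"] = copy["app/config.json"].replace(
        b"updates.example.invalid", b"mirror.example.invalid"
    )
    return copy


if __name__ == "__main__":
    manifest = build_manifest(BUILD_ARTIFACTS)
    shipped = tampered_release(BUILD_ARTIFACTS)

    # The pattern-based scan reports the same finding before and after tampering:
    # it sees a coding mistake in main.py, but nothing about the altered config.
    print("scan (build):  ", scan_for_vulnerable_patterns(BUILD_ARTIFACTS))
    print("scan (shipped):", scan_for_vulnerable_patterns(shipped))

    # The integrity check is what surfaces the tampering.
    print("integrity (build):  ", verify_against_manifest(BUILD_ARTIFACTS, manifest))
    print("integrity (shipped):", verify_against_manifest(shipped, manifest))
```

The scanner's output is identical for the clean and the tampered release, because nothing about the altered artifact matches a vulnerability pattern; only the comparison against the build-time manifest reports `app/config.json` as modified. That is the gap the post describes: a tampering check needs a trusted baseline of what the artifacts should be, not just rules about what bad code looks like.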
If you missed the “3 Ways Detecting Software Tampering Differs From Finding Software Vulnerabilities” webinar, you can now watch it on-demand here.